
www.ijmer.com

International Journal of Modern Engineering Research (IJMER) Vol. 3, Issue. 5, Sep - Oct. 2013 pp-2770-2772 ISSN: 2249-6645

Layered Approach & HMM for Network Based Intrusion Detection

Archana Patil, A. T. Bhole

ABSTRACT: In this paper we use two techniques together, signature based and anomaly based, which we call a hybrid technique. In anomaly detection the strategy is to suspect whatever is considered unusual activity for the subject (users, processes, etc.) and to carry out further investigation. This approach is particularly effective against novel (i.e., previously unknown) attacks. Signature based detection systems detect previously known attacks in a timely and efficient way; the main issue of this approach is that, in order to detect an intrusion, that intrusion must have been seen before. The hybrid technique gives better results than the signature based and anomaly based techniques on their own. We also use a layered approach to obtain results faster: the layered approach has four different layers, Probe, U2R, R2L and DoS, and different features are assigned to each layer, so that if any layer detects an attack, that attack is dealt with at that layer and does not go further. The main aim of this paper is to increase accuracy and efficiency.

Index Terms: Intrusion detection, Layered Approach, Hidden Markov Model, network security, decision trees, naive Bayes.

I. INTRODUCTION

Intrusion detection is defined as "the problem of identifying individuals who are using a computer system without authorization (i.e., 'crackers') and those who have legitimate access to the system but are abusing their privileges (i.e., the 'insider threat')". It can also be described as the identification of attempts to use a computer system without authorization or to abuse existing privileges. Heady et al. define an intrusion as "any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource", disregarding the success or failure of those actions [12]. The definition of an intrusion detection system does not include preventing the intrusion from occurring, only detecting it and reporting it to an operator [12].

There are two types of intrusion detection system, depending on how their components are distributed:

1. A centralized intrusion detection system is one where the analysis of the data is performed in a fixed number of locations, independent of how many hosts are being monitored. We do not consider the location of the data collection components, only the location of the analysis components. Examples: IDES, IDIOT.

2. A distributed intrusion detection system is one where the analysis of the data is performed in a number of locations proportional to the number of hosts that are being monitored. Again, we only consider the locations and number of the data analysis components, not the data collection components. Examples: DIDS, GrIDS.

Intrusion detection is also divided by detection strategy:

1. Anomaly detection, where the strategy is to suspect whatever is considered unusual activity for the subject (users, processes, etc.) and to carry out further investigation. This approach is particularly effective against novel (i.e., previously unknown) attacks. Its main drawback is the high rate of false positives, because any legitimate but new activity can raise an alert.

2. Signature detection, where the strategy is to look for some specific activity (the signature) of previously known attacks. Signature based detection systems detect previously known attacks in a timely and efficient way. The main issue of this approach is that, in order to detect an intrusion, that intrusion must have been seen before.

Previously only one technique was used at a time; in this work we use both, signature based and anomaly based, combined into what we call a hybrid technique. That is, we develop a hybrid system for NIDS using an HMM based layered approach. We integrate the Layered Approach with HMMs to gain the benefits of computational efficiency and high accuracy of detection in a single system. The layered approach gives fast results: there are four different layers, PROBE, DOS, U2R and R2L, different features are assigned to each layer, and whenever a malicious attack is found it is detected at that moment, at that layer, and does not go further. This technique increases the speed of our operation.

A hidden Markov model (HMM) is a statistical generative model in which the system being modelled is assumed to be a Markov process with unobserved state. An HMM can be considered the simplest dynamic Bayesian network. An HMM is like a finite state machine in which not only the transitions but also the outputs are probabilistic. An HMM is a doubly stochastic process: an underlying stochastic process that is not observable and can only be observed through another set of stochastic processes that produce the sequence of observed symbols. HMMs are a useful tool for modelling sequence information. The model can be thought of as a graph with N nodes called "states" and edges representing transitions between those states. Each state node holds an initial state probability and the observation probabilities with which a given symbol is observed at that state. An edge carries the transition probability with which a transition from one state to another is made.
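The HMM just described, scored with the forward algorithm and driven through the four-layer short-circuit pipeline of the abstract and this introduction, as an added example that is not the paper's own code. The model parameters, the feature column assigned to each layer (the paper assigns several features per layer; one discretized column each keeps this short), the per-symbol log-likelihood thresholds and the session records are all constructed for illustration; a real deployment would train one HMM per layer on its own features instead of sharing one normal-traffic model.

```python
"""Discrete HMM + forward algorithm, used as the per-layer detector of a
Probe / DoS / R2L / U2R layered pipeline.  Added example: every parameter,
feature name and session below is constructed, not taken from the paper."""
import math
from dataclasses import dataclass


@dataclass
class HMM:
    """N hidden states, M observation symbols: the N-node graph with
    transition edges and per-state observation probabilities of the text."""
    pi: list  # initial state distribution, length N
    A: list   # transition probabilities, N x N, rows sum to 1
    B: list   # observation (emission) probabilities, N x M, rows sum to 1

    def forward_log_likelihood(self, obs):
        """log P(obs | model) by the forward algorithm.  alpha is rescaled at
        every step so long sequences do not underflow; the log of each scale
        factor is accumulated to recover the total log-likelihood."""
        if not obs:
            raise ValueError("empty observation sequence")
        n = len(self.pi)
        alpha = [self.pi[i] * self.B[i][obs[0]] for i in range(n)]
        log_like = 0.0
        for t in range(len(obs)):
            if t > 0:
                alpha = [sum(alpha[i] * self.A[i][j] for i in range(n))
                         * self.B[j][obs[t]] for j in range(n)]
            scale = sum(alpha)
            if scale == 0.0:  # symbol impossible under this model
                return float("-inf")
            alpha = [a / scale for a in alpha]
            log_like += math.log(scale)
        return log_like

    def score(self, obs):
        """Per-symbol log-likelihood, comparable across sequence lengths."""
        return self.forward_log_likelihood(obs) / len(obs)


# Constructed "normal traffic" model: symbol 2 (a feature's extreme bin) is
# rare in both hidden states, symbols 0 and 1 are common.
NORMAL_HMM = HMM(pi=[0.6, 0.4],
                 A=[[0.7, 0.3], [0.4, 0.6]],
                 B=[[0.6, 0.3, 0.1], [0.3, 0.6, 0.1]])


@dataclass
class Layer:
    name: str         # Probe, DoS, R2L or U2R
    feature: str      # discretized feature column assigned to this layer
    model: HMM        # HMM of normal behaviour for that feature
    threshold: float  # per-symbol log-likelihood below which the layer alerts


# Hypothetical feature-to-layer assignment; the shared NORMAL_HMM stands in
# for one model trained per layer.
LAYERS = [
    Layer("Probe", "service_pattern", NORMAL_HMM, -1.5),
    Layer("DoS",   "connection_rate", NORMAL_HMM, -1.5),
    Layer("R2L",   "login_behaviour", NORMAL_HMM, -1.5),
    Layer("U2R",   "privilege_use",   NORMAL_HMM, -1.5),
]


def detect(session, layers=LAYERS):
    """session: list of per-connection records {feature: symbol}.
    Returns the name of the first layer whose model rejects the session, or
    None if every layer accepts it.  Detection stops at the first alerting
    layer, so an attack caught at one layer never reaches the next."""
    for layer in layers:
        obs = [record[layer.feature] for record in session]
        if layer.model.score(obs) < layer.threshold:
            return layer.name
    return None


def make_session(columns):
    """Build a session from per-feature symbol columns (constructed input)."""
    length = len(next(iter(columns.values())))
    return [{f: col[t] for f, col in columns.items()} for t in range(length)]


NORMAL_SESSION = make_session({"service_pattern": [0, 1, 0, 1],
                               "connection_rate": [0, 0, 1, 0],
                               "login_behaviour": [1, 1, 0, 1],
                               "privilege_use":   [0, 0, 0, 0]})
# Flooding: the connection-rate feature sits in its extreme bin every step.
DOS_SESSION = make_session({"service_pattern": [0, 1, 0, 1],
                            "connection_rate": [2, 2, 2, 2],
                            "login_behaviour": [1, 1, 0, 1],
                            "privilege_use":   [0, 0, 0, 0]})
# Probe and DoS columns both anomalous: the Probe layer fires first and the
# session is never handed to the DoS layer.
PROBE_AND_DOS_SESSION = make_session({"service_pattern": [2, 2, 2, 2],
                                      "connection_rate": [2, 2, 2, 2],
                                      "login_behaviour": [1, 1, 0, 1],
                                      "privilege_use":   [0, 0, 0, 0]})

if __name__ == "__main__":
    for label, s in [("normal", NORMAL_SESSION), ("dos", DOS_SESSION),
                     ("probe+dos", PROBE_AND_DOS_SESSION)]:
        print(f"{label}: alert at layer {detect(s)}")
```

With these parameters any sequence drawn only from symbols 0 and 1 scores at least log(0.3) per symbol, above the -1.5 threshold, while a column stuck at symbol 2 scores log(0.1) per symbol and is rejected; the threshold is what a practitioner would tune on held-out normal traffic to trade the false-positive rate the text warns about against missed attacks.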


2770 | Page

